Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

TrojanDownloader.zlob.500 keeps coming back [RESOLVED]


  • This topic is locked This topic is locked

#1
doc09

doc09

    New Member

  • Member
  • Pip
  • 8 posts
So far this week i've run Adware SE, CWS shredder, ewido anti-spyware, spybot search and destroy, trojan hunter, and AVG antivirus. As of now, Spybot and AVG don't find anything, but Trojan Hunter has found Bluebot.100, Adware.NewDotNet.105, and TrojanDownloader.zlob.500 every day for the past three days. It says that it removes everything, but they keep popping back up. Thanks for your help and here is my HiJackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 9:46:41 PM, on 9/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Scott Kohler\My Documents\New Folder (7)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://webcenters.co...nu/default.jsp"); (C:\Documents and Settings\Scott Kohler\Application Data\Mozilla\Profiles\default\14rsu15r.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Scott Kohler\Application Data\Mozilla\Profiles\default\14rsu15r.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35AA6F25-C541-6ABE-8756-64550DF1291B} - C:\WINDOWS\System32\etckz.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7CA647DA-457F-4086-89A6-CE80F788ADC8} - C:\WINDOWS\System32\rcmoc3260.dll (file missing)
O2 - BHO: (no name) - {A7D38554-68CD-0969-B288-136404DF1B94} - C:\WINDOWS\system32\ijpo.dll (file missing)
O2 - BHO: (no name) - {AD39EFCA-0A03-6DA1-7D24-79C2BE564694} - C:\WINDOWS\system32\ijuf.dll (file missing)
O3 - Toolbar: SuperBar - {15F94797-3E1F-4F07-9BAE-0537B44AD963} - C:\Program Files\SUPERBAR\SUPERBAR.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Protection Bar - {860c2f6b-ca82-4282-9187-beccbb66f0af} - C:\Program Files\PCODEC\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [autoupd] C:\WINDOWS\autoupd\autoupd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [[email protected]@2EB923K] C:\WINDOWS\System32\Ypxfye5.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ifgnunch] C:\WINDOWS\ifgnunch.exe
O4 - HKLM\..\Run: [ps5V36W] forcutl.exe
O4 - HKLM\..\Run: [dst] C:\WINDOWS\dst.exe
O4 - HKLM\..\Run: [jxagvi] c:\windows\system32\jxagvi.exe
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\system32\abasa5jrp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [Seua] C:\Documents and Settings\Scott Kohler\Application Data\drea.exe
O4 - HKCU\..\Run: [YBu9RWapl] faun20.exe
O4 - Global Startup: Windows Media PowerPoint Helper.lnk = C:\Program Files\Windows Media Components\Tools\nsppthlp.exe
O4 - Global Startup: CompuServe Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~5\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadc...ieNetworks1.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compu...hat/RTCChat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094087907936
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125446122885
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://216.176.203.1...wo/download.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://anu.popcap.co...aploader_v6.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

Advertisements


#2
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm
  • 0

#3
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Crossed in the ether with Armodeluxe

Edited by Crustyoldbloke, 05 September 2006 - 02:53 PM.

  • 0

#4
doc09

doc09

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is a copy of the SmitFraudFix report.

SmitFraudFix v2.83

Scan done at 22:02:04.36, Tue 09/05/2006
Run from C:\Documents and Settings\Scott Kohler\Desktop\Smitfraudfix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\migicons.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Scott Kohler\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SCOTTK~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#5
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Please print out or copy these instructions/tutorial to Notepad as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


1. Download and update Ewido.

First download Ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded Ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete, run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close Ewido anti-spyware, Do Not run a scan just yet


2. Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
3. Run Smitfraud Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


4. Clean out your Temporary Internet files. Proceed as follows:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

5. Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

6. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

7. Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Note: IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
8. Close Ewido and Reboot back into Normal Windows Mode

9. Run SmitfraudFix. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

10. Please Post the following logs:
  • c:\rapport.txt
  • Ewido log
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

  • 0

#6
doc09

doc09

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
here is a copy of my Rapport, ewido log, and new hijackthis log:


SmitFraudFix v2.83

Scan done at 13:38:28.32, Wed 09/06/2006
Run from C:\Documents and Settings\Scott Kohler\Desktop\Smitfraudfix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\migicons.exe Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End






EWIDO LOG:


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:45:05 PM 9/6/2006

+ Scan result:



C:\System Volume Information\_restore{A8A74C81-1B6F-4DA5-800C-0C87008D6865}\RP628\A0118499.dll.tcf -> Downloader.Zlob.aeg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A8A74C81-1B6F-4DA5-800C-0C87008D6865}\RP625\A0117392.exe -> Downloader.Zlob.aha : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A8A74C81-1B6F-4DA5-800C-0C87008D6865}\RP628\A0118541.exe -> Downloader.Zlob.ahc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A8A74C81-1B6F-4DA5-800C-0C87008D6865}\RP628\A0117487.exe -> Trojan.Scapur.g : Cleaned with backup (quarantined).


::Report end





HijackThis Log:


Logfile of HijackThis v1.99.1
Scan saved at 2:57:48 PM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Scott Kohler\My Documents\New Folder

(7)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =

about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =

Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no

file)
N3 - Netscape 7: user_pref("browser.startup.homepage",

"http://webcenters.co...nu/default.jsp");

(C:\Documents and Settings\Scott Kohler\Application

Data\Mozilla\Profiles\default\14rsu15r.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",

"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins

%5CSBWeb_01.src"); (C:\Documents and Settings\Scott Kohler\Application

Data\Mozilla\Profiles\default\14rsu15r.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO -

{02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35AA6F25-C541-6ABE-8756-64550DF1291B} -

C:\WINDOWS\System32\etckz.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7CA647DA-457F-4086-89A6-CE80F788ADC8} -

C:\WINDOWS\System32\rcmoc3260.dll (file missing)
O2 - BHO: (no name) - {A7D38554-68CD-0969-B288-136404DF1B94} -

C:\WINDOWS\system32\ijpo.dll (file missing)
O2 - BHO: (no name) - {AD39EFCA-0A03-6DA1-7D24-79C2BE564694} -

C:\WINDOWS\system32\ijuf.dll (file missing)
O3 - Toolbar: SuperBar - {15F94797-3E1F-4F07-9BAE-0537B44AD963} -

C:\Program Files\SUPERBAR\SUPERBAR.dll (file missing)
O3 - Toolbar: Yahoo! Companion -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [autoupd] C:\WINDOWS\autoupd\autoupd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [[email protected]@2EB923K] C:\WINDOWS\System32\Ypxfye5.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ifgnunch] C:\WINDOWS\ifgnunch.exe
O4 - HKLM\..\Run: [ps5V36W] forcutl.exe
O4 - HKLM\..\Run: [dst] C:\WINDOWS\dst.exe
O4 - HKLM\..\Run: [jxagvi] c:\windows\system32\jxagvi.exe
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\system32\abasa5jrp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

/STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0

-k
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter

4.5\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program

Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition]

"C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [Seua] C:\Documents and Settings\Scott

Kohler\Application Data\drea.exe
O4 - HKCU\..\Run: [YBu9RWapl] faun20.exe
O4 - Global Startup: Windows Media PowerPoint Helper.lnk = C:\Program

Files\Windows Media Components\Tools\nsppthlp.exe
O4 - Global Startup: CompuServe Tray Icon.lnk = C:\Program

Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~5\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

- C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD}

- C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646}

- http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} -

http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~5\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -

http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -

C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net -

{F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program

Files\PartyGaming.net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net -

{F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program

Files\PartyGaming.net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}

- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} -

http://www.netbroadc...ieNetworks1.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) -

http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus

scanner) -

http://security.syma...bin/AvSniff.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) -

http://objects.compu...hat/RTCChat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)

-

http://v5.windowsupd...rols/en/x86/cli

ent/wuweb_site.cab?1094087907936
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI

Utility Class) -

http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)

-

http://update.micros...ls/en/x86/clien

t/muweb_site.cab?1125446122885
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} -

http://216.176.203.1...wo/download.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan

Installer Class) -

http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class)

-

http://us.dl1.yimg.c...ssentials/ymmap

i_0727.dll
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class)

- http://www.verizon.n...tivePreQual.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o.

- C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development

a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc.

- C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) -

America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#7
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
When you will post a log, in Notepad go to the Format menu and make sure Wordwrap is unchecked. That way there won't be line breaks when you post.

Open HijackThis and click Scan. Put a check next to these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
O2 - BHO: (no name) - {35AA6F25-C541-6ABE-8756-64550DF1291B} - C:\WINDOWS\System32\etckz.dll (file missing)
O2 - BHO: (no name) - {7CA647DA-457F-4086-89A6-CE80F788ADC8} - C:\WINDOWS\System32\rcmoc3260.dll (file missing)
O2 - BHO: (no name) - {A7D38554-68CD-0969-B288-136404DF1B94} - C:\WINDOWS\system32\ijpo.dll (file missing)
O2 - BHO: (no name) - {AD39EFCA-0A03-6DA1-7D24-79C2BE564694} - C:\WINDOWS\system32\ijuf.dll (file missing)
O3 - Toolbar: SuperBar - {15F94797-3E1F-4F07-9BAE-0537B44AD963} - C:\Program Files\SUPERBAR\SUPERBAR.dll (file missing)
O3 - Toolbar: Protection Bar - {860c2f6b-ca82-4282-9187-beccbb66f0af} - C:\Program Files\PCODEC\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [[email protected]@2EB923K] C:\WINDOWS\System32\Ypxfye5.exe
O4 - HKLM\..\Run: [ifgnunch] C:\WINDOWS\ifgnunch.exe
O4 - HKLM\..\Run: [ps5V36W] forcutl.exe
O4 - HKLM\..\Run: [dst] C:\WINDOWS\dst.exe
O4 - HKLM\..\Run: [jxagvi] c:\windows\system32\jxagvi.exe
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\system32\abasa5jrp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Seua] C:\Documents and Settings\Scott Kohler\Application Data\drea.exe
O4 - HKCU\..\Run: [YBu9RWapl] faun20.exe
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadc...ieNetworks1.exe
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://216.176.203.1...wo/download.exe


Close all other windows except HijackThis and click Fix Checked. Reboot when done.

Next,

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Also please post a new HijackThis log.
  • 0

#8
doc09

doc09

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I fixed the items you indicated in HijackThis, but when I ran combofix, it must have closed on its own and when it did, it erased everything on my desktop, which is now blank. Please let me know the best way to get things back on my desktop. Also, here is my new HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 13:47, on 06-09-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Scott Kohler\My Documents\New Folder (7)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://webcenters.co...nu/default.jsp"); (C:\Documents and Settings\Scott Kohler\Application Data\Mozilla\Profiles\default\14rsu15r.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Scott Kohler\Application Data\Mozilla\Profiles\default\14rsu15r.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [autoupd] C:\WINDOWS\autoupd\autoupd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Global Startup: Windows Media PowerPoint Helper.lnk = C:\Program Files\Windows Media Components\Tools\nsppthlp.exe
O4 - Global Startup: CompuServe Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~5\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compu...hat/RTCChat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094087907936
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125446122885
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#9
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Try opening task manager (CTRL+ALT+DEL)

Under Processes tab,

If explorer.exe is running, kill it by selecting it and clicking End Task.

Then go to File > New Task and type: explorer.exe

If it wasn't running directly do the New Task.

See if that brings the icons back. Also try rebooting.

Download WinPFind2.zip and unzip it to a convenient location. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.
  • Open the folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings and then in the AddOn-Options box click the checkboxes for
    • HKCU_IEDesktop.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Under File Options click Select All
  • Under Other Options put a check to both Show All boxes
  • Please maximize the window in order to be able to view the Status Bar.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it and then please post that report into this topic. After posting please check if the whole report fit into the post. If it did fit, it should say <End of Report> at the end. If not, please post the section that was cut off in a second post.

  • 0

#10
doc09

doc09

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Rebooting the computer worked to get things back to normal. I tried Combofix again and this time everything worked just fine. I don't have time to download and run Winpfind tonite, so i'll run it tomorrow, but in the mean time, here is the combofix report and another hijackthis log just to be redundant. Thanks as always,

Combofix:

Scott Kohler - 06-09-07 22:37:44.11
ComboFix 06.09.07 - Running from: C:\Documents and Settings\Scott Kohler\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-07 to 2006-09-07 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-29 19:51 -------- d-------- C:\Program Files\Remove on Reboot
2006-08-29 19:49 -------- d-------- C:\Documents and Settings\Scott Kohler\Application Data\TrojanHunter
2006-08-29 18:43 -------- d-------- C:\Program Files\TrojanHunter 4.5
2006-08-28 22:50 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-08 09:50 777472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
2006-08-08 09:50 27904 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"autoupd"="C:\\WINDOWS\\autoupd\\autoupd.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"WebCamRT.exe"=""
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFREE.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"NAV7A25"="C:\\WINDOWS\\System32\\regsvr32.exe /s c:\\PROGRA~1\\NORTON~1\\NAVResc.dll"
"0000 - C:\\Documents and Settings\\Scott Kohler\\Start Menu\\Programs\\HP DeskJet 610C Series v11.2"="C:\\WINDOWS\\command.com /c rmdir \"C:\\Documents and Settings\\Scott Kohler\\Start Menu\\Programs\\HP DeskJet 610C Series v11.2\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=hex:00,00,00,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\disabledrunkeys]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPScanPatch"="C:\\WINDOWS\\SYSTEM32\\HPScanFix.exe"
"hpsysdrv"="C:\\WINDOWS\\SYSTEM32\\hpsysdrv.exe"
"USBMMKBD"="usbmmkbd.exe"
"TCASUTIEXE"="TCAUDIAG.EXE -off"
"LT DAEMON"="\"C:\\WINDOWS\\SYSTEM32\\ltdaemon.exe\""
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM32\\STIMON.EXE"
"$EnterNet"="C:\\PROGRAM FILES\\EFFICIENT NETWORKS\\ENTERNET 300\\APP\\EnterNet.exe -AutoStart"
"NAV Agent"="c:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job

Completion time: 06-09-07 22:41:26.60
ComboFix3.txt
ComboFix2.txt
ComboFix.txt





HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 22:45, on 06-09-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Scott Kohler\My Documents\New Folder (7)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://webcenters.co...nu/default.jsp"); (C:\Documents and Settings\Scott Kohler\Application Data\Mozilla\Profiles\default\14rsu15r.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Scott Kohler\Application Data\Mozilla\Profiles\default\14rsu15r.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [autoupd] C:\WINDOWS\autoupd\autoupd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Global Startup: Windows Media PowerPoint Helper.lnk = C:\Program Files\Windows Media Components\Tools\nsppthlp.exe
O4 - Global Startup: CompuServe Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~5\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compu...hat/RTCChat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094087907936
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125446122885
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

Advertisements


#11
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
I had asked for the WinPFind2 log to take a look at the registry entries for the desktop, since the issue is resolved there's no need to run it.

Both logs look clean. :whistling:

But to make sure we're not leaving anything behind, let's run an online scan.

Please do an online scan with Kaspersky WebScanner. If you have any quarantined items in your antivirus, please delete those archives before the scan.

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#12
doc09

doc09

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the report from the online scan:

06-09-08 15:02
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/09/2006
Kaspersky Anti-Virus database records: 221897


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
M:\
N:\

Scan Statistics
Total number of scanned objects 65027
Number of viruses found 8
Number of infected objects 25 / 0
Number of suspicious objects 0
Duration of the scan process 01:33:19

Infected Object Name Virus Name Last Action
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\SCHEDLOG.TXT Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\Program Files\GIB\dropcharge.exe Infected: not-a-virus:[bleep]-Dialer.Win32.Generic skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe/data0005 Infected: not-a-virus:AdWare.Win32.EZula skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe/data0008/data0002 Infected: not-a-virus:AdWare.Win32.Broadcap.c skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe/data0008 Infected: not-a-virus:AdWare.Win32.Broadcap.c skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe NSIS: infected - 5 skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4b.exe/data0002/data0120 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4b.exe/data0002 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4b.exe/data0003 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4b.exe NSIS: infected - 3 skipped

C:\Documents and Settings\Default User\My Documents\Data\all_files4b.exe/data0002/data0120 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

C:\Documents and Settings\Default User\My Documents\Data\all_files4b.exe/data0002 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

C:\Documents and Settings\Default User\My Documents\Data\all_files4b.exe/data0003 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

C:\Documents and Settings\Default User\My Documents\Data\all_files4b.exe NSIS: infected - 3 skipped

C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.ec skipped

C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe/data0005 Infected: not-a-virus:AdWare.Win32.EZula skipped

C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe/data0006 Infected: Trojan.Win32.SecondThought.h skipped

C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe/data0008/data0002 Infected: not-a-virus:AdWare.Win32.Broadcap.c skipped

C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe/data0008 Infected: not-a-virus:AdWare.Win32.Broadcap.c skipped

C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe NSIS: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\Scott Kohler\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Scott Kohler\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Scott Kohler\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Scott Kohler\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Scott Kohler\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Scott Kohler\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Scott Kohler\Desktop\Smitfraudfix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Scott Kohler\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Scott Kohler\Application Data\AVG7\Log\emc.log Object is locked skipped

C:\Documents and Settings\Scott Kohler\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\System Volume Information\_restore{A8A74C81-1B6F-4DA5-800C-0C87008D6865}\RP636\change.log Object is locked skipped

C:\System Volume Information\_restore{A8A74C81-1B6F-4DA5-800C-0C87008D6865}\RP628\A0118553.exe Infected: Trojan-Downloader.Win32.Zlob.ahn skipped

Scan process completed.
  • 0

#13
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
C:\Program Files\GIB\dropcharge.exe

Kaspersky flagged this as a dialer, do you know what this program GIB is? Is it something you installed?

Delete these files:

C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files4b.exe
C:\Documents and Settings\Default User\My Documents\Data\all_files4b.exe
C:\Documents and Settings\Default User\My Documents\Data\all_files4.exe

Other than those, it's clean. How is the computer running now, do you have any problems left?
  • 0

#14
doc09

doc09

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
My computer seems to be working fine now, and I'm glad that you think things look ok. The only thing is that under windows explorer, I don't have a "Default User" folder in C:/Documents and Settings. Obviously I can't delete those files since I can't find them.

Thank you so much for helping me out with my computer issue, I hope this doesn't happen again.
  • 0

#15
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Default User folder is a hidden system folder, look again after doing this:

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

When done, change the file view settings back.

Now let's reset your restore points.

Click Start Menu > All Programs > Accessories > System Tools > SystemRestore

Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create' then when the confirmation screen shows the restore point has been created click 'Close'

Next goto Start Menu > Run > type

cleanmgr

click OK, when Disk Cleanup opens goto the 'More Options' tab and press 'Cleanup' on the system restore area which will remove all the restore points except the one we just created. To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Please take the following into consideration to maintain a clean computer.

Now you should go get a firewall. Don't rely on the Windows firewall as it monitors only incoming traffic. Pick one of these, they are all free.
Kerio
Zonealarm
Outpost
Sygate

I'll also recommend you to install a monitoring software which will monitor certain areas on your computer and will place alerts when those are being modified. One such software I'll recommend is Prevx, but it's for advanced users as the messages it displays can be hard to decipher. One other similar but more user friendly software is Winpatrol. Both are free programs.
Winpatrol
Prevx

Visit Windows Update regularly to get the latest security updates.You can also enable automatic updates.Your antivirus software and antispyware programs should also be updated regularly. Make a habit of running scans on a timely basis. Be careful about what you download, scan every file before clicking on it.

Additional programs to consider:

Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.Restricts the actions of potentially unwanted sites in Internet Explorer.
Spywareguard An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
IE/Spyad
Adds a list of malicious sites to your Restricted Sites Zone.
Firefox An alternate browser safer than IE

A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP